Hacking forensics is the process of detecting hacking attacks and extracting evidence, both to report the event and to conduct audits that prevent similar future attacks (if possible). It includes techniques for detecting and reverse engineering malware and advanced persistent threats, like FinFisher. More generally, and with an eye on practicality: without determining the nature of an incident through forensics, there is no way of knowing how to better protect the system and its data. Simply reinstalling the system from “clean” media or from a known-good image and placing that system back into its environment may lead to it being compromised all over again.
As with Hack to learn, the usual pigeonholes are useful for organising one's thoughts on the means and methods for discovering data that resides in a computer system, recovering deleted, encrypted, or damaged file information (a process known as computer data recovery), and identifying an intruder’s footprints.